LCQ18: Data leakage incident
****************************

     Following is a question by the Hon Lee Wing-tat and a written reply by the Secretary for Constitutional and Mainland Affairs, Mr Stephen Lam, in the Legislative Council today (June 22):

Question:

     According to the information of the Privacy Commissioner for Personal Data (Privacy Commissioner), given that the PlayStation® Network (PSN) system was intruded by hackers in April this year, resulting in the leak of user account information, the Privacy Commissioner met with the Deputy Managing Director of Sony Computer Entertainment Hong Kong Limited (SCEH) after the incident to understand the situation; SCEH pointed out that between April 17 and 19 this year, information of some PSN user accounts, including 400 000 Hong Kong accounts, was leaked during an illegal and unauthorised intrusion into its network; and the account information leaked included name, address, country, email address, date of birth, PSN password and login, and PSN online ID, but SCEH could not ascertain whether the credit card data in those accounts were leaked. In this connection, will the Government inform this Council:

(a) whether it knows if among the 400 000 Hong Kong accounts, the number of those with information being leaked has at present been ascertained; if so, the total number of users involved, as well as the details of information being leaked, and whether credit card data are included; if not, the reasons for that;

(b) whether it knows if the Privacy Commissioner has approached SCEH to find out if it had taken all practicable steps to protect the information of its customers against intrusion by hackers; if so, the details of the steps taken by SCEH, or if it has been found out that SCEH had not taken the relevant steps, the reasons for that; if the Privacy Commissioner has not approached SCEH to find out such information, the reasons for that; and

(c) given that PSN services across the globe were temporarily suspended after the aforesaid incident, and subsequently when the services were gradually resumed in other countries and regions, the services in Hong Kong still have not been resumed, whether it knows if it is because the Privacy Commissioner had required SCEH to upgrade the security protection of the PSN to a satisfactory level before resumption of the PSN services; if so, the details; if not, the reasons for that?

Reply:

President,

     My reply to the three parts of the question is as follows:

(a) According to information provided by Sony Computer Entertainment Hong Kong Limited (SCEH) to the Privacy Commissioner for Personal Data (the Commissioner), the data leakage incident involved about 400 000 Hong Kong accounts and the account information compromised included name, address, country, email address, birth date, PlayStation® Network (PSN) password and login, and PSN online identity. SCEH was not certain about the number of users involved or whether credit card information had been compromised. SCEH confirmed to the Commissioner that, since the data leakage incident, they had so far received no reports of misuse of their customers' personal information as a result of the data leakage. Similarly, the Office of the Privacy Commissioner for Personal Data (PCPD) has not received any such complaints.

(b) The Commissioner met with the Deputy Managing Director of SCEH many times to find out the detailed accounts of the incident and the remedial measures taken. At the meeting on June 8 with the President and CEO of Sony Global Solutions Inc. (SGS), who is also the newly appointed Chief Information Security Officer of Sony Network Entertainment International LLC, the Commissioner was assured that SGS had identified the cause of the intrusion and taken adequate and appropriate remedial measures to prevent further exploitation of the same vulnerability (details of the remedial measures could not be disclosed here for confidentiality and security reasons). PCPD was given to understand that SGS is an independent subsidiary of Sony Corporation, which provides security and IT services to other entities within the Sony Group worldwide, had no involvement in the operation of the PSN system, and is called to investigate this hacking incident.

(c) In the course of enquiries with SCEH, the Commissioner had told SCEH that the PSN services should only be resumed after adequate and appropriate remedial measures had been taken, but it was up to SCEH to decide whether or when they should resume the services. Shortly after the Commissioner had received SGS's assurance as stated in part (b) of the reply above, SCEH announced on June 14 this year the immediate resumption of PSN services in Hong Kong.

Ends/Wednesday, June 22, 2011
Issued at HKT 14:38
